DPRK Threat Actor - C2 Communication DNS Indicators

    Date: 08/06/2024

    Severity: Medium 

    Summary

    The "DPRK Threat Actor - C2 Communication DNS Indicators" are a set of domain names used by North Korean threat actors for command and control (C2) communication with compromised systems. Defenders use these indicators to detect and mitigate activity from North Korean cyber groups: by monitoring DNS traffic for queries to these specific domains, organizations can identify affected hosts and respond to potential threats from this state-sponsored group. These DNS indicators strengthen defensive measures against sophisticated cyber operations attributed to North Korean actors.

    Indicators of Compromise (IOC) List

    QueryName

    connection.lockscreen.kro.kr

    updating.dothome.co.kr

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename in ("Sysmon" ) AND eventtype = "22") AND queryname in ("connection.lockscreen.kro.kr" , "updating.dothome.co.kr")

    Detection Query 2

    (technologygroup = "EDR" ) AND queryname in ("connection.lockscreen.kro.kr" , "updating.dothome.co.kr")
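    As an added illustration of the same detection logic, not code from the page or from Gurucul: a Python check that applies the IOC list above to constructed Sysmon Event ID 22 (DNS query) records. The JSON field names and the sample events are assumptions; the check also generalizes the queries by normalizing case and trailing dots and by matching subdomains of the listed domains.

```python
import json

# Domains from the page's IOC list.
DPRK_C2_DOMAINS = {
    "connection.lockscreen.kro.kr",
    "updating.dothome.co.kr",
}

# Constructed sample Sysmon events (one JSON record per line), not real telemetry.
# Field names (EventID, Computer, Image, QueryName) are assumed for this example.
SAMPLE_EVENTS = """
{"EventID": 22, "Computer": "WS01", "Image": "C:\\\\Users\\\\a\\\\update.exe", "QueryName": "connection.lockscreen.kro.kr"}
{"EventID": 22, "Computer": "WS02", "Image": "C:\\\\Windows\\\\explorer.exe", "QueryName": "www.example.com"}
{"EventID": 22, "Computer": "WS03", "Image": "C:\\\\Temp\\\\svc.exe", "QueryName": "Updating.DotHome.co.kr."}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\\\Users\\\\a\\\\update.exe", "QueryName": "connection.lockscreen.kro.kr"}
{"EventID": 22, "Computer": "WS04", "Image": "C:\\\\Temp\\\\x.exe", "QueryName": "cdn.updating.dothome.co.kr"}
"""


def normalize(name):
    # DNS names are case-insensitive, and a logged name may carry a trailing dot.
    return name.strip().lower().rstrip(".")


def is_ioc_match(query_name, iocs=DPRK_C2_DOMAINS):
    """True for an exact match or a subdomain of a listed domain."""
    q = normalize(query_name)
    return any(q == d or q.endswith("." + d) for d in iocs)


def detect(lines, iocs=DPRK_C2_DOMAINS):
    """Return (host, image, query) alerts for Sysmon EventID 22 records with an IOC hit."""
    alerts = []
    for line in lines.strip().splitlines():
        event = json.loads(line)
        if event.get("EventID") != 22:  # only DNS query events, as in Detection Query 1
            continue
        if is_ioc_match(event.get("QueryName", ""), iocs):
            alerts.append((event["Computer"], event["Image"], normalize(event["QueryName"])))
    return alerts


if __name__ == "__main__":
    for host, image, name in detect(SAMPLE_EVENTS):
        print(f"ALERT {host}: {image} resolved {name}")
```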

    Category: Sigma

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml
